Businesses across the globe are faced with rapidly changing, sophisticated attacks against their IT infrastructure. A typical large organization may have several hundred servers, and managing their security can be a challenge. To help businesses combat the increasingly complex threats posed by attackers, operating system vendors have introduced compartmentalization. Similar to the watertight compartments of a submarine, compartments are logical partitions that provide isolation between applications and/or resources. When configured in a secure compartment, an application or resource has restricted access to other resources and/or applications. For example, a compartment specification associated with an application may indicate in detail how that application or resource can access other applications and/or resources. The compartments may be enforced by compartmentalization software, for example. A compartment provides greater security for an application or resource, or for a system associated with the application or resource, when compared to an application executing outside of a secure compartment, since an application or resource outside of any compartment may have unrestricted access to all system applications and resources. The compartmentalization software, by enforcing compartments according to their compartment specifications, may, for example, implement a MAC (mandatory access control) security policy.
For example, when an application makes a request to use a resource that is not specified in the compartment specification associated with the application, the resource request is denied. Therefore, if the application has been compromised, for example by an external attacker, the application cannot be used by the attacker to access any applications or resources not specified in the compartment specification for the application. Where applications or resources are specified, the application cannot be used by the attacker to access those applications or resources in ways not specified in the compartment specification.
An example of a compartment specification may list all possible application and resource requests that may be made by the application, so that the application retains full functionality when it executes within a compartment. A compartment specification may be produced, for example, manually by a system administrator, who may need knowledge of the applications and resources on a data processing system, of the data processing system itself and of the operating system of the data processing system.
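The deny-by-default behaviour described above, as an added illustration that is not part of the patent: a compartment specification lists every (resource, operation) pair an application may request, requests outside the specification are refused, and an application outside any compartment is left unrestricted. The specification format, the application name `httpd` and the resource names are constructed for the example.

```python
# Added example, not from the patent: a minimal deny-by-default enforcer for
# compartment specifications of the kind described above. The spec format,
# application names and resource names are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class CompartmentSpec:
    """Lists every (resource, operation) pair the application may request."""
    name: str
    rules: dict = field(default_factory=dict)  # resource -> set of operations

    def allow(self, resource, *ops):
        self.rules.setdefault(resource, set()).update(ops)
        return self

class Compartmentalizer:
    """Enforces compartment specs as a mandatory access control policy."""
    def __init__(self):
        self.specs = {}  # application -> CompartmentSpec
        self.audit = []  # (application, resource, op, allowed) per request

    def confine(self, app, spec):
        self.specs[app] = spec

    def request(self, app, resource, op):
        """Return (allowed, reason) for one resource request by an application."""
        spec = self.specs.get(app)
        if spec is None:
            # No compartment means nothing to enforce: the unrestricted
            # situation the text warns about, so it is recorded, not blocked.
            verdict = (True, "uncompartmented: unrestricted access")
        elif resource not in spec.rules:
            verdict = (False, f"{spec.name}: {resource!r} not in specification")
        elif op not in spec.rules[resource]:
            verdict = (False, f"{spec.name}: {op!r} on {resource!r} not specified")
        else:
            verdict = (True, f"{spec.name}: permitted by specification")
        self.audit.append((app, resource, op, verdict[0]))
        return verdict

def build_demo():
    """Constructed sample: a web server confined to its document root and log."""
    mac = Compartmentalizer()
    web = (CompartmentSpec("web_compartment")
           .allow("/var/www", "read")
           .allow("/var/log/httpd", "write", "append")
           .allow("tcp:80", "listen"))
    mac.confine("httpd", web)
    return mac
```

A compromised `httpd` can still read `/var/www` but is refused a write there and any access to `/etc/shadow`, while the audit list gives a defender a record of every refused request.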
It is an object of embodiments of the invention to at least mitigate one or more of the problems of the prior art.